From d553a3c6f69c1110b37196632e47cb6ffd10e406 Mon Sep 17 00:00:00 2001
From: Bernhard Amann <bernhard@icsi.berkeley.edu>
Date: Thu, 23 Feb 2012 15:30:39 -0800
Subject: [PATCH] fix strange bug when using predicates and events at the same
 time on a tablefilter.

Testcase is now more involved.
---
 src/input/Manager.cc                          |  52 +++--
 .../scripts.base.frameworks.input.reread/out  | 212 +++++++++++++++++-
 .../scripts/base/frameworks/input/reread.bro  |  10 +-
 3 files changed, 249 insertions(+), 25 deletions(-)

diff --git a/src/input/Manager.cc b/src/input/Manager.cc
index 9dba56b174..b709d26ea8 100644
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@@ -364,20 +364,21 @@ bool Manager::AddTableFilter(EnumVal *id, RecordVal* fval) {
 	}
 
 
-	Val* name = fval->Lookup(rtype->FieldOffset("name"));
-	Val* pred = fval->Lookup(rtype->FieldOffset("pred"));
+	Val* name = fval->LookupWithDefault(rtype->FieldOffset("name"));
+	Val* pred = fval->LookupWithDefault(rtype->FieldOffset("pred"));
 
-	RecordType *idx = fval->Lookup(rtype->FieldOffset("idx"))->AsType()->AsTypeType()->Type()->AsRecordType();
+	RecordType *idx = fval->LookupWithDefault(rtype->FieldOffset("idx"))->AsType()->AsTypeType()->Type()->AsRecordType();
 	RecordType *val = 0;
 	if ( fval->Lookup(rtype->FieldOffset("val")) != 0 ) {
-		val = fval->Lookup(rtype->FieldOffset("val"))->AsType()->AsTypeType()->Type()->AsRecordType();
+		val = fval->LookupWithDefault(rtype->FieldOffset("val"))->AsType()->AsTypeType()->Type()->AsRecordType();
 	}
-	TableVal *dst = fval->Lookup(rtype->FieldOffset("destination"))->AsTableVal();
+	TableVal *dst = fval->LookupWithDefault(rtype->FieldOffset("destination"))->AsTableVal();
 
 	Val *want_record = fval->LookupWithDefault(rtype->FieldOffset("want_record"));
 
-	Val* event_val = fval->Lookup(rtype->FieldOffset("ev"));
+	Val* event_val = fval->LookupWithDefault(rtype->FieldOffset("ev"));
 	Func* event = event_val ? event_val->AsFunc() : 0;
+	Unref(event_val);
 	
 	if ( event ) {
 		FuncType* etype = event->FType()->AsFuncType();
@@ -450,14 +451,17 @@ bool Manager::AddTableFilter(EnumVal *id, RecordVal* fval) {
 	filter->pred = pred ? pred->AsFunc() : 0;
 	filter->num_idx_fields = idxfields;
 	filter->num_val_fields = valfields;
-	filter->tab = dst->Ref()->AsTableVal();
-	filter->rtype = val ? val->Ref()->AsRecordType() : 0;
-	filter->itype = idx->Ref()->AsRecordType();
+	filter->tab = dst->AsTableVal();
+	filter->rtype = val ? val->AsRecordType() : 0;
+	filter->itype = idx->AsRecordType();
 	filter->event = event ? event_registry->Lookup(event->GetID()->Name()) : 0;
 	filter->currDict = new PDict(InputHash);
 	filter->lastDict = new PDict(InputHash);
 	filter->want_record = ( want_record->InternalInt() == 1 );
+
 	Unref(want_record); // ref'd by lookupwithdefault
+	Unref(name);
+	Unref(pred);
 
 	if ( valfields > 1 ) {
 		assert(filter->want_record);
@@ -861,7 +865,7 @@ int Manager::SendEntryTable(const ReaderFrontend* reader, const int id, const Va
 			}
 		}
 
-	}
+	} 
 	
 
 	Val* oldval = 0;
@@ -948,16 +952,16 @@ void Manager::EndCurrentSend(const ReaderFrontend* reader, int id) {
 			val = filter->tab->Lookup(idx);
 			assert(val != 0);
 		}
+		int startpos = 0;
+		Val* predidx = ListValToRecordVal(idx, filter->itype, &startpos);
+		EnumVal* ev = new EnumVal(BifEnum::Input::EVENT_REMOVED, BifType::Enum::Input::Event);
 
+		
 		if ( filter->pred ) {
-
-			bool doBreak = false;
 			// ask predicate, if we want to expire this element...
 
-			EnumVal* ev = new EnumVal(BifEnum::Input::EVENT_REMOVED, BifType::Enum::Input::Event);
-			//Ref(idx);
-			int startpos = 0;
-			Val* predidx = ListValToRecordVal(idx, filter->itype, &startpos);
+			Ref(ev);
+			Ref(predidx);
 			Ref(val);
 
 			val_list vl(3);
@@ -971,21 +975,23 @@ void Manager::EndCurrentSend(const ReaderFrontend* reader, int id) {
 			if ( result == false ) {
 				// Keep it. Hence - we quit and simply go to the next entry of lastDict
 				// ah well - and we have to add the entry to currDict...
+				Unref(predidx);
+				Unref(ev);
 				filter->currDict->Insert(lastDictIdxKey, filter->lastDict->RemoveEntry(lastDictIdxKey));
 				continue;
-			}
-
-
-		}
+			} 
+		} 
 
 		if ( filter->event ) {
-			int startpos = 0;
-			Val* predidx = ListValToRecordVal(idx, filter->itype, &startpos);
+			Ref(predidx);
 			Ref(val);
-			EnumVal *ev = new EnumVal(BifEnum::Input::EVENT_REMOVED, BifType::Enum::Input::Event);
+			Ref(ev);
 			SendEvent(filter->event, 3, ev, predidx, val);
 		}
 
+		Unref(predidx);
+		Unref(ev);
+
 		filter->tab->Delete(ih->idxkey);
 		filter->lastDict->Remove(lastDictIdxKey); // deletex in next line
 		delete(ih);
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.reread/out b/testing/btest/Baseline/scripts.base.frameworks.input.reread/out
index b844990978..f244f11a73 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.input.reread/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.reread/out
@@ -1,3 +1,18 @@
+============PREDICATE============
+Input::EVENT_NEW
+[i=-42]
+[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
 ============EVENT============
 Input::EVENT_NEW
 [i=-42]
@@ -28,6 +43,21 @@ BB
 
 }, vc=[10, 20, 30], ve=[]]
 }
+============PREDICATE============
+Input::EVENT_NEW
+[i=-43]
+[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
 ============EVENT============
 Input::EVENT_NEW
 [i=-43]
@@ -70,6 +100,21 @@ BB
 
 }, vc=[10, 20, 30], ve=[]]
 }
+============PREDICATE============
+Input::EVENT_CHANGED
+[i=-43]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
 ============EVENT============
 Input::EVENT_CHANGED
 [i=-43]
@@ -112,6 +157,21 @@ BB
 
 }, vc=[10, 20, 30], ve=[]]
 }
+============PREDICATE============
+Input::EVENT_NEW
+[i=-44]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
 ============EVENT============
 Input::EVENT_NEW
 [i=-44]
@@ -126,6 +186,21 @@ AA,
 BB
 }, se={
 
+}, vc=[10, 20, 30], ve=[]]
+============PREDICATE============
+Input::EVENT_NEW
+[i=-45]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
 }, vc=[10, 20, 30], ve=[]]
 ============EVENT============
 Input::EVENT_NEW
@@ -142,7 +217,7 @@ BB
 }, se={
 
 }, vc=[10, 20, 30], ve=[]]
-============EVENT============
+============PREDICATE============
 Input::EVENT_NEW
 [i=-46]
 [b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
@@ -159,6 +234,21 @@ BB
 }, vc=[10, 20, 30], ve=[]]
 ============EVENT============
 Input::EVENT_NEW
+[i=-46]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
+============PREDICATE============
+Input::EVENT_NEW
 [i=-47]
 [b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
 2,
@@ -171,6 +261,36 @@ AA,
 BB
 }, se={
 
+}, vc=[10, 20, 30], ve=[]]
+============EVENT============
+Input::EVENT_NEW
+[i=-47]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
+============PREDICATE============
+Input::EVENT_NEW
+[i=-48]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
 }, vc=[10, 20, 30], ve=[]]
 ============EVENT============
 Input::EVENT_NEW
@@ -274,6 +394,96 @@ BB
 
 }, vc=[10, 20, 30], ve=[]]
 }
+============PREDICATE============
+Input::EVENT_REMOVED
+[i=-43]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
+============PREDICATE============
+Input::EVENT_REMOVED
+[i=-46]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
+============PREDICATE============
+Input::EVENT_REMOVED
+[i=-44]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
+============PREDICATE============
+Input::EVENT_REMOVED
+[i=-47]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
+============PREDICATE============
+Input::EVENT_REMOVED
+[i=-45]
+[b=F, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
+============PREDICATE============
+Input::EVENT_REMOVED
+[i=-42]
+[b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, sc={
+2,
+4,
+1,
+3
+}, ss={
+CC,
+AA,
+BB
+}, se={
+
+}, vc=[10, 20, 30], ve=[]]
 ============EVENT============
 Input::EVENT_REMOVED
 [i=-43]
diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.bro
index 8e573494fd..742d68605b 100644
--- a/testing/btest/scripts/base/frameworks/input/reread.bro
+++ b/testing/btest/scripts/base/frameworks/input/reread.bro
@@ -107,7 +107,15 @@ event bro_init()
 	try = 0;
 	# first read in the old stuff into the table...
 	Input::create_stream(A::INPUT, [$source="../input.log", $mode=Input::REREAD]);
-	Input::add_tablefilter(A::INPUT, [$name="ssh", $idx=Idx, $val=Val, $destination=servers, $ev=line]);
+	Input::add_tablefilter(A::INPUT, [$name="ssh", $idx=Idx, $val=Val, $destination=servers, $ev=line,
+	$pred(typ: Input::Event, left: Idx, right: Val) = { 
+	print outfile, "============PREDICATE============";
+	print outfile, typ;
+	print outfile, left;
+	print outfile, right;
+	return T;
+	}
+	]);
 }